From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 20 Nov 2017 14:29:55 +0100 Subject: [refpolicy] [PATCH v2 13/19] Make irc user content access optional In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be> References: <20171120133001.25744-1-sven.vermeulen@siphos.be> Message-ID: <20171120133001.25744-14-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com IRC clients do not need to have manage rights on user content at all times. We make this optional, under the support of the irc_{read,manage}_{generic,all}_user_content booleans. To enable simple IRC-based upload/downloads, the irc_t domain does get manage rights on the xdg_downloads_t type (~/Downloads). Changes since v1: - Move tunable definition inside template Signed-off-by: Sven Vermeulen --- irc.te | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/irc.te b/irc.te index d07bfb8..7f34e53 100644 --- a/irc.te +++ b/irc.te @@ -114,9 +114,9 @@ miscfiles_read_localization(irc_t) userdom_use_user_terminals(irc_t) -userdom_manage_user_home_content_dirs(irc_t) -userdom_manage_user_home_content_files(irc_t) -userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) +userdom_user_content_access_template(irc, irc_t) + +xdg_manage_downloads(irc_t) tunable_policy(`irc_use_any_tcp_ports',` allow irc_t self:tcp_socket { accept listen }; -- 2.13.6
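Review bot: the removed `userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })` has no visible replacement in this hunk; unless `userdom_user_content_access_template(irc, irc_t)` also supplies that file transition, files and directories irc_t creates directly in the home directory will no longer be labelled as user home content, so please confirm the template covers it or keep the filetrans call (gated by the manage boolean if needed). The unconditional `xdg_manage_downloads(irc_t)` matches the commit message, but a short comment in irc.te stating that ~/Downloads access is deliberately not controlled by the new irc_{read,manage}_{generic,all}_user_content booleans would save the next reader from assuming it is.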